Report ISO 22000:2018 Understanding the international standard Contents 01. Introduction 3 02. Purpose of this report 4 03. Executive summary 5 3.1 Summary of principal changes: Moving from ISO 22000:2005 to ISO 22000:2018 5 3.2 Food safety-specific requirements 7 3.3 FSSC 22000 8 04. Clause-by-clause review 9 05. Conclusions 65 Appendix A: Summary of required documented information 66 Appendix B: FSSC 22000 and GFSI 67 quality.org | 1 01. Introduction Since its launch in 2005, ISO 22000 has been adopted as the food safety management system (FSMS) standard of choice for more than 32,000 organisations worldwide. In addition, over 23,000 organisations have been certified under the FSSC 22000 private certification scheme, whose core requirements are based on ISO 22000. Given that many of the organisations operating to the ISO 22000 or FSSC 22000 standards are global players in the food manufacturing and processing sectors, these figures illustrate the considerable influence that the standard exerts on global food safety. ISO 22000:2018 was the first major revision to the standard since its launch. It affects not only those organisations that wish to maintain their system certification, but also other interested parties such as certifying bodies, that are involved in the associated auditing programmes. quality.org | 3 02. Purpose of this report This report is intended to inform CQI members and IRCA certificated auditors who have a relevant interest in food safety management systems, and to offer insight and assistance to those implementing, managing and auditing ISO 22000:2018-based management systems. ISO 22000:2018 adopts the high-level structure of Annex SL, the shared framework that is common to all new ISO standards. It also adds disciplinespecific requirements that must be considered by all food safety professionals. Section 3 of this report comprises an executive summary providing a short overview of the standard, its application and how it compares with the 2005 version. In section 4, we discuss the contents of ISO 22000:2018, describing each clause in plain English and considering the implications for those tasked with overseeing the operation of food safety management systems, and those engaged in auditing them. In section 5 we summarise the benefits we expect all interested parties will reap from the application of ISO 22000:2018. 4 | ISO 22000:2018 | Understanding the international standard 03. Executive summary As with other recently revised ISO standards including ISO 9001 and ISO 14001, a three-year transition period (ending 29 June 2021) was initially set for organisations with certified ISO 22000:2005 management systems wishing to gain certification to ISO 22000:2018. However, owing to the 2020 Covid-19 pandemic, the International Accreditation Forum (IAF) extended the transition period by six months to 29 December 2021, and confirmed that transition audits may be done using remote audit techniques. 3.1 Summary of principal changes: Moving from ISO 22000:2005 to ISO 22000:2018 CONTEXT (Clause 4) Organisations are required to identify any external and internal issues that may affect the ability of their food safety management system to deliver its intended outcomes. These outcomes are the continual improvement of food safety performance, fulfilment of legal and other requirements, and achievement of food safety objectives. Organisations are also required to determine the relevant needs and expectations of their relevant interested parties – i.e. those individuals and organisations that can affect, be affected by, or perceive themselves to be affected by, organisations’ decisions or activities. LEADERSHIP (Clause 5) Top management are required to demonstrate that they engage in key FSMS activities, as opposed to simply ensuring that these activities occur. This means there is a need for top management to be seen to be actively involved in the operation of the FSMS and accountable for its results. RISK-BASED THINKING (Clause 6) Organisations must demonstrate that they have determined, considered and, where deemed necessary, taken action to address any risks and opportunities that may affect (either positively or negatively) the ability of their FSMS to deliver its intended outcomes. These risks can be categorised in two levels: a) policy level, usually managed by the top management and related to the organisation’s strategic planning and views, and b) operational level, which covers those risks related directly to food safety, and already addressed by ISO 22000:2005 through the application of the HACCP (hazard analysis and critical control points) technique and control measures like CCPs (critical control points) and OPRPs (operational prerequisite programmes). quality.org | 5 “There has been a conscious attempt to revisit the wording of the standard with a view to making the requirements easier to understand and to aid its translation” COMMUNICATION (Clause 7) Communication with interested parties plays an important role in an effective FSMS. Organisations need to be sure that the information provided is consistent with the information generated within the FSMS, i.e. that it is accurate, timely and properly directed. OPERATIONS (Clause 8) Organisations need to control their operational processes by a) managing temporary and permanent changes under controlled conditions, b) ensuring that outsourced processes are controlled, c) controlling the procurement of products and services, and d) ensuring that all staff meet the requirements of the FSMS. IMPROVEMENT (Clause 10) Improving the organisation’s food safety performance and the food safety management system (as two separate issues) was already required by ISO 22000:2005. In ISO 22000:2018, these requirements are stressed in several clauses as one of the functions of the FSMS. TERMINOLOGY (Clause 3) This clause contains the terms and definitions used in the standard, irrespective of whether they come from Annex SL or were added by the technical committee for food safety management systems, ISO/TC 34/SC17. The revised standard contains many notes for clarification of the context for terms and definitions. ANNEXES ISO 22000 has two informative annexes. The first provides a comparison between ISO 22000:2018 and the Codex HACCP system published by the UN Food and Agriculture Organization’s Codex Alimentarius Commission. The second provides a cross reference between the revised 2018 version of ISO 22000 and the earlier 2005 version. DOCUMENTED INFORMATION References to requirements for documents and records have been replaced by the term “documented information”. “Maintained documents” comprise procedures, policies, plans etc. that need to be available to perform an activity, while “retained documents” contain retrievable information e.g. of measurement and monitoring. Control of documented information continues to be a requirement. CLARITY There has been a conscious attempt to revisit the wording of the standard with a view to making the requirements easier to understand and to aid its translation. 6 | ISO 22000:2018 | Understanding the international standard 3.2 Food safety-specific requirements The main food safety-specific additions to the basic Annex SL requirements are related to: » Planning of changes (6.3) » Prerequisite programmes (8.2) » Traceability system (8.3) » Emergency preparedness and response (8.4) » Hazard control (8.5) » Updating the information specifying the PRPs and the hazard control plan (8.6) » Control of monitoring and measuring (8.7) » Verification related to PRPs and the hazard control plan (8.8) » Control of product and process nonconformities (8.9) Many of these were included in the previous version of the standard. In ISO 22000:2018 they have been revised and upgraded to fit into a more strategically positioned management system. quality.org | 7 3.3 FSSC 22000 Version five of FSSC 22000 was published by Foundation FSSC 22000 in June 2019, 12 months after the initial version of ISO 22000:2018. It follows the structure of ISO 22000:2018, which means it is far more aligned with the new ISO high-level structure than the previous version, FSSC 22000 v4.1.The FSSC 22000 v5 standard also follows ISO 22000:2018 in many other key improvements, including the use of two interdependent and linked PDCA (Plan-Do-Check-Act) cycles, plus the distinction between risk and opportunity of the organisational management systems and strategic goals as a whole, as well as risks at an operational level (clause 8 of FSSC 22000 v5). As ISO 22000:2018 has undergone a significant update, some of the FSSC-specific requirements in v5 have been condensed. For example, FSSC 22000 v5 clause 2.5.1 Management of services has been shortened, because this is now part of ISO 22000:2018 clause 7.1.6. However, Management of laboratory services remains as an additional FSSC 22000 requirement. The harmonisation of the two standards is likely to be welcomed by organisations in the food and beverage supply chain operating to one or the other, or even both across their various sites. Full clause-by-clause change analysis of FSSC 22000 v5 can be found on BSI’s website, bsigroup.com. For more on FSSC 22000’s relationship to the Global Food Safety Initiative (GFSI), see Appendix B. 8 | ISO 22000:2018 | Understanding the international standard 04. Clause-by-clause review Note: The interpretations of the requirements of ISO 22000 contained in this document are those of the CQI. Other organisations may interpret the requirements of the standard differently. As such, this document should not be viewed as a definitive reference source for this international standard; indeed, only documentation published by the relevant ISO committee, ISO/TC 34/SC17, can fulfil this purpose. Please note: The CQI is not permitted to quote from the standard due to copyright restrictions. Anyone needing the exact wording should source the standard from a legitimate supplier. This section of the report aims to: » simplify the requirements of each clause of ISO 22000 into language that is easier to understand » identify the implications of the requirement for food safety professionals (food safety managers, directors, system implementers) » identify the implications of the requirement for audit professionals Introduction The introduction to ISO 22000:2018 reminds us that organisations are responsible for the food safety issues of their involvement in the food chain. Organisations can demonstrate that they are fulfilling this responsibility by implementing a food safety management system based on ISO 22000, which can assure customers and consumers that they can consistently meet food safety requirements and relevant legal requirements. Implementing an FSMS conforming to ISO 22000 also enables organisations to manage and control their food safety hazards and improve their food safety performance. The implementation of an FSMS is a strategic and operational decision for organisations. The success of a food safety management system depends on leadership, commitment and participation from all levels and functions in the organisation. quality.org | 9 “Users of the standards must appreciate that the adoption of ISO 22000 does not necessarily guarantee a specific level of food safety performance” Top management input is essential to achieving these benefits. Managers must recognise their role in effectively addressing food safety risks and opportunities, in integrating food safety management into the organisation’s business processes, strategic direction and decision-making and, most of all, by incorporating sound food safety governance into the organisation’s overall management system. Users of the standards must appreciate that the adoption of ISO 22000 does not necessarily guarantee a specific level of food safety performance. Two organisations with similar activities may have different interested parties, may face different external and internal issues, may start implementing their food safety activities from different baselines and may wish to improve at different rates, and yet both can conform to the requirements of the standard. Clauses 1 to 3 of the standard set out its scope of application, normative references and terms and definitions. The information contained in clause 3, in particular, is important in understanding subsequent clauses, and must not be overlooked. Clauses 4 to 10 contain the requirements to be met during the implementation of the FSMS and during its conformity assessment. Clause 4 sets the context for the FSMS itself and its constraints (internal and external issues and the requirements of interested parties), while clause 5 defines the leadership “engine” that drives the Plan-Do-Check-Act (PDCA) cycle embodied in the framework of the standard. Clauses 6 to 10 follow the PDCA cycle. The relationship can be seen as follows: 1 PLAN » Plan in clause 6 4 2 ACT DO 3 CHECK 10 | ISO 22000:2018 | Understanding the international standard » Do in clauses 7 and 8 » Check in clause 9 » Act (for improvement) in clause 10 In addition to the 10 main clauses, there are two annexes that provide a comparison between Codex HACCP and ISO 22000:2018 as well as a cross reference between the revised 2018 version and the earlier 2005 version. There is also a bibliography which makes reference to other related ISO standards and other documents relating to food safety. In the standard, the following terms are used: a. “shall” indicates a requirement b. “should” indicates a recommendation c. “may” indicates permission d. “can” indicates a possibility or a capability Note that a) is mandatory while b), c) and d) are optional at the discretion of the user. However, organisations may benefit from assessing and justifying the reasons for not implementing these optional requirements. In many sections a note is included for guidance in understanding or clarifying the associated requirement. These notes are not, in themselves, requirements. Some entries in clause 3 provide additional information that supplements the terminology and can contain provisions relating to the use of a term. Any organisation that wishes to demonstrate conformity to the standard can make a self-determination and self-declaration, request interested parties to confirm its conformance, have its self-declaration reviewed by third parties, or get its FSMS certified by independent third parties, usually accredited certification bodies. quality.org | 11 1. Scope This section lays down the foundation of a food safety management system to enable an organisation to provide products and services that are safe for their intended use, as well as improving its food safety performance. This will involve complying with food safety legislation, meeting customer food safety requirements, communicating food safety issues to relevant parties, delivering the organisation’s food safety policy and demonstrating conformance to the standard either by self-declaration or by external certification. This standard is applicable to organisations of any size and type, engaged in any kind of activity associated with the food chain. However, it does not state any specific criteria for food safety performance, does not prescribe any specific format for the FSMS, and does not address issues like product quality or environmental impact in as far as they do not affect the food safety of products and processes. The standard applies to any and all sizes of organisation including those that may use external resources to assist with their conformance to requirements both for initial implementation and ongoing maintenance. 2. Normative references There are no normative references applicable to this standard. There is no other standard or document that contains requirements in addition to those included in the main text (clauses 4 to 10). 3. Terms and definitions This section contains the common terms and core definitions included in Annex SL, plus those terms and definitions added to complement the food safety-specific text drafted by the technical committee ISO/TC 34/SC17. There are some terms that are self-explanatory and can be used straightforwardly. However, there are a few whose definitions need to be more carefully considered in order to fully understand the requirements in which they are used. Key terms that deserve to be analysed in detail are: action criterion, documented information, effectiveness, critical control point (CCP), measurement, monitoring, interested party, outsource and risk. 12 | ISO 22000:2018 | Understanding the international standard 4. Context of the organisation 4.1 Understanding the organisation and its context INTERPRETATION ISO 22000 is focused on food safety. However, addressing everyday legal and operational food safety issues may not be enough to ensure that the FSMS achieves its intended outcomes. The standard requires organisations to move beyond this, and to identify, review and keep updated, internal and external issues that are relevant to the organisation’s purpose, and that may affect its ability to achieve the intended outcomes of the FSMS. External issues may, for example, be related to government policy, economics, society, technology, finance, legislation, environment, supply chain and defence, that can represent a threat or opportunity to the effective operation of the organisation’s FSMS. Internal issues may be related to governance, strategies, culture, activities, products and services, infrastructure, capabilities, cybersecurity, food fraud, food defence or other issues that might constitute a strength or weakness of the organisation’s FSMS. The standard does not prescribe who within an organisation will be responsible for complying with this requirement. Nevertheless, it is highly probable that top management will be closely involved – these issues are likely to be related to strategic and business process elements of the organisation, and must be reviewed during planned management review meetings. The standard does not require organisations to document this contextual information. However, it would be wise, for control and demonstration purposes, to maintain at least some of this information in documented form. Some of the contextual issues determined by the organisation may result in risks and opportunities to the organisation’s FSMS. In clause 6.1, organisations are required to determine which ones pose a potential risk or opportunity, and to take proportionate action to address them. Implications for food safety professionals Most organisations should already be successfully monitoring internal and external issues that have the potential to affect not only their FSMS but the whole organisation. quality.org | 13 “Auditors will also need to understand the external and internal issues typically experienced in organisations” The standard requires the organisation to use this knowledge to establish the scope of its FSMS, to design, implement and continually improve it, and to determine risks and opportunities associated with food safety. Food safety professionals are used to dealing mainly with everyday operational issues. Now, they will need to embrace a wider picture, taking into account how food safety matters are embedded in the organisation’s business environment. They will likely be required to share their knowledge and experience with top management. In many organisations, the dialogue between food safety professionals and top management is mainly focused on operational aspects of food safety. This requirement (and others in the standard) represents a good opportunity for food safety professionals to expand the dialogue with top management to cover strategic matters, if such exchanges do not already take place. Implications for audit professionals Auditors will need to allow additional time to prepare for audits in order to establish their understanding of the context in which audited organisations operate. The preparation for the audit may include a thorough search of all available information on the organisation itself (e.g. from the organisation’s website) and on the food chain sector (e.g. information on business trends and the state of the global market and natural environment). Auditors will also need to understand the external and internal issues typically experienced in organisations and must be ready and able to challenge top management if they believe an organisation’s interpretation of its context is deficient or incorrect. Like food safety professionals, auditors will have to be aware of generic issues related to the business life of organisations, and not limit their interactions with top management to operational food safety issues. A thorough familiarity with the organisation’s processes and its role in the food chain, will be vital. Auditors will be required to audit this requirement with the top management. This represents quite a challenge to the auditor skillset. Auditing this requirement only with middle managers or with the food safety manager or team leader will probably not cover the required scope. Evidence needs to be obtained to provide assurance that organisations are reviewing and regularly updating the external and internal issues that they have identified. If the organisation decides not to maintain documented information on the relevant issues, this will pose a challenge to auditors, and face-to-face interviews will be essential. 14 | ISO 22000:2018 | Understanding the international standard 4.2 Understanding the needs and expectations of interested parties INTERPRETATION The first step is to identify the organisation’s “interested parties” as defined in clause 3.23 of the standard. Examples of interested parties include regulatory authorities, suppliers, contractors, subcontractors, owners, customers, local government agencies and trade organisations. The second step is to determine which of those interested parties are relevant to the FSMS. The third step is to determine which needs and expectations of those relevant interested parties may be associated with the FSMS. This clause requires organisations to determine, review and regularly monitor information on the relevant needs and expectations of interested parties. The term “relevant” has to be read as “pertinent to food safety”, and it is the organisation, not the auditor, who decides what is relevant and what is not. Some of these requirements may result in risks and opportunities to organisations. In clause 6.1, organisations must determine which requirements represent a potential risk or opportunity and take action to address them. As in clause 4.1, the standard does not require organisations to keep contextual information documented. However, it would be wise, for control and demonstration purposes, to maintain key information in documented form. Implications for food safety professionals It is easy to imagine that ISO 22000, being a food safety-related standard, will establish requirements mainly affecting food safety professionals. But as in clause 4.1, top management need to play a key role. Food safety professionals can assist management by playing the role of facilitator or providing support to their decision-making on food safety policy and strategy. However it is top management who must decide, and provide information on, what needs and expectations are relevant to the organisation. quality.org | 15 Note that the standard does not require all requirements of all interested parties to be met. The idea is that meeting the relevant requirements of interested parties (i.e. those that pose unacceptable risks or present opportunities) will allow the organisation to be in a better position to ensure that the FSMS produces the expected results (see clause 1). Implications for audit professionals The comments on implications for audit professionals in clause 4.1 are fully applicable to clause 4.2 also. 4.3 Determining the scope of the FSMS INTERPRETATION When designing the FSMS, the organisation has to define its scope, which sets its boundaries, its organisational functions, and the activities, products and services within the organisation’s control or influence that can have an impact on its food safety performance. When defining the scope of its FSMS, an organisation needs to: a. consider the internal and external issues it faces as part of the context b. take into account legal requirements c. take into account the requirements of relevant parties The scope of the FSMS has to be documented. Implications for food safety professionals An organisation has the freedom to define its own FSMS boundaries. It may choose to develop an FSMS for the entire organisation or for some specific part of the organisation – but only if the top management of that part of the organisation has the authority and resource to implement the FSMS. The credibility of an organisation’s FSMS depends on, among other factors, the choice of the FSMS scope. In order not to mislead interested parties, the scope should not exclude activities, products and services, internal or external, that have a significant impact on food safety performance or that are related to legal requirements. As was the case with clauses 4.1 and 4.2, the definition of the scope should be decided by top management. Food safety professionals may assist them in this, but it is clearly a strategic decision for the organisation. 16 | ISO 22000:2018 | Understanding the international standard “An organisation has the freedom to define its own FSMS boundaries” Implications for audit professionals Auditors must gather evidence that the scope has been correctly defined considering the organisation’s context and taking into account the applicable legal requirements as well as the organisation’s activities, products and services. Auditors will also have to evaluate the accuracy of the scope as derived by the organisation and determine if, as defined, the scope may mislead interested parties on what is and is not covered by the FSMS. Auditors will also need to verify that the organisation’s scope is maintained as documented information and is up-to-date. quality.org | 17 4.4 Food safety management system INTERPRETATION Clause 4.4 sets out high-level generic requirements for the food safety management system. Organisations have to establish a management system that complies with all requirements of ISO 22000. Once established, the FSMS needs to be implemented, maintained and continually improved. When developing the management system, the organisation has to determine the processes needed and how they interact. It is also expected that the processes included in the FSMS will, whenever practicable, be fully integrated into the business processes of the organisation. When developing the FSMS, and once all the processes needed have been identified, the organisation has to determine which ones, if any, will be outsourced or externally provided. The outsourced processes will have to remain under the control of the FSMS, as established in clause 8.1. Implications for food safety professionals The organisation has the authority to decide how it will meet the requirements in clause 4.4. Food safety professionals will have a key role in the development of the FSMS. To do so, they will have to thoroughly research the organisation, and understand all its processes and their interactions. In the case of an FSMS applied to a specific part of an organisation, they will have to identify which policies and processes applied in other parts of the organisation may need to be incorporated into the FSMS being developed. Implications for audit professionals This clause contains high-level requirements that span across all other clauses of the standard. Auditors will need to take this into account when auditing all other requirements, and will then need to make a high-level evaluation as to the organisation’s degree of conformance with all the requirements in the standard. Raising a nonconformity against this requirement would only be possible if auditors find evidence of issues that span most of the FSMS processes and raise serious doubt as to whether a viable FSMS is in existence. 18 | ISO 22000:2018 | Understanding the international standard 5 Leadership 5.1 Leadership and commitment INTERPRETATION This is a key clause and is fundamental to the whole standard. If it is not followed in its basic and profound meaning, the whole management system may still achieve some good results, but will fail to reach its full potential. With reference to the food safety management system, top management must demonstrate leadership and commitment to everyone in the organisation, as well as to other interested parties such as suppliers and customers. This is something that top management must demonstrate in tangible ways. This starts with them accepting accountability for the effectiveness of the FSMS, being involved where and when necessary, communicating what is required and taking action accordingly. They must ensure that the food safety policy and objectives are consistent with the organisation’s overall strategic direction and the context in which the organisation is operating. They must use their authority to ensure that the objectives of the FSMS are realistic and compatible with the food safety policy of the organisation. In addition, top management must ensure that the food safety policy is communicated, understood and applied across the organisation and that the FSMS achieves the intended results. Top management must also ensure that the requirements of the FSMS are integral to the organisation’s business processes and that resources are available for its effective operation. Top management must provide leadership to those who contribute to the effective operation of the system. They must also encourage leadership in food safety in other management roles. Implications for food safety professionals The emphasis on “leadership and commitment” is perhaps the most significant requirement and fundamental change contained in ISO 22000:2018, although the actual impact will depend very much on the current position of each individual organisation. quality.org | 19 “When ISO 22000 uses the term ‘top management’, it is referring to a person or a group of people who direct and control an organisation at the highest level” For those organisations whose most senior members currently play an active role in driving the FSMS forward, the revised requirements will likely involve a formalisation of current practice. However, for those organisations where top management have little involvement in the FSMS, effectively devolving responsibility for their FSMS to other levels in the organisation, the impact of the requirement of this clause will be significantly greater. Where the word “ensuring” is applicable to an activity within the standard, top management may still assign this task to others for completion. Where the words “promoting”, “taking”, “engaging” or “supporting” appear, these activities cannot be delegated and must be undertaken by top management themselves. Top management will need to be made aware of the revised requirements including the fact that they will be audited as a matter of routine and on a wide set of issues. Food safety professionals can help to support top management in fulfilling their revised responsibilities by suggesting strategy options, encouraging personal development and regularly reporting on all aspects of the FSMS. When ISO 22000 uses the term “top management”, it is referring to a person or a group of people who direct and control an organisation at the highest level. Implications for audit professionals Auditors must ensure that they are well equipped to interview top management in respect of their leadership and commitment to their FSMS. To be effective and gain the respect of top management, auditors will need to have a good understanding of corporate affairs, of management roles, of the organisation they are auditing and the business context surrounding it. They will have to be able to engage with top management on a range of subjects by conversing in an intelligent way. Auditors who fail to adequately prepare for top management interviews will risk damage to their reputation and that of the auditing profession. For many auditors, this implies developing revised and enhanced knowledge, skills and behaviours. There will not be much documented information as evidence of leadership and commitment. Gathering evidence from top management will mainly involve discussion and cross-checking of responses with other members of the organisation being audited. Audit trails across the FSMS will reveal the extent to which leadership and commitment are exercised in the system. 20 | ISO 22000:2018 | Understanding the international standard 5.2 Food safety policy INTERPRETATION Top management must establish a food safety policy that is consistent with the purpose and context of the organisation. The policy represents a top management commitment on how to ensure the alignment of food safety management to the long-term strategic intentions of the organisation. It must additionally provide a framework for setting and reviewing food safety objectives. Two specific commitments have to be included in the policy: to comply with legal and agreed customer requirements, and to continually improve the FSMS. It is the responsibility of top management to review and maintain a documented food safety policy, to communicate it within the organisation, to ensure that it has been understood and to make it available to interested parties. Implications for food safety professionals As it is top management themselves who are required to establish a food safety policy, they should not devolve this task to food safety professionals, and by the same token, food safety professionals should not be tempted by top management to do the job for them (e.g. to draft a policy to be reviewed by top management and who may then sign it without due consideration of its contents). Food safety professionals can support top management by ensuring that they are aware of the policy requirements in the standard and by reviewing their draft policy for conformance. Implications for audit professionals Auditors should discuss the policy in detail directly with the top management. If they are redirected to a management representative or food safety team leader, this probably has implications regarding top management commitment. The requirement to determine that the food safety policy is appropriate to the purpose and context of the organisation reinforces the need for auditors to establish their personal understanding of the context that the audited organisation is operating in. However, from an auditor perspective it is important that top management can demonstrate, from their own understanding, that the policy is compatible with the strategic direction and context of the organisation and that it has been communicated and understood throughout the organisation. quality.org | 21 Communication of the policy could be demonstrated by posters on the walls, but effective communication is two-way. Therefore, auditors should also ask staff about their understanding of the organisation’s policy. 5.3 Organisational roles, responsibilities and authorities INTERPRETATION The top management of the organisation needs to ensure that defined responsibilities and authorities are assigned to individuals in the organisation to carry out FSMS-related activities under their control. Specifically, they need to assign responsibility and authority for: » ensuring that the requirements set out in ISO 22000 are met » reporting on the operation of the FSMS » appointing a food safety team and team leader Top management must ensure that such responsibilities and authorities relating to the organisation’s FSMS are communicated and understood within the organisation, along with the reporting of any food safety issues to designated staff. Implications for food safety professionals Assigning roles within the FSMS is the responsibility of top management. A food safety team leader and their team play a vital role in the effective operation of the FSMS, and they can and should support top management by providing strategy options, nominating roles for individuals or teams, suggesting personal development opportunities, and assisting with communication throughout the organisation, etc. However, ownership of the FSMS must not centre on these individuals to the effective exclusion of top management. The organisation may have to revisit the existing responsibilities and authorities with regard to the FSMS, especially the responsibilities of top management and any food safety team leader. The review may identify gaps in resources, including gaps in competence which will then need to be addressed before a compliant system can be established. 22 | ISO 22000:2018 | Understanding the international standard “FSMS planning is an ongoing activity which must continue throughout the life of the system, in the perpetual PDCA cycle” Implications for audit professionals Auditors must seek evidence that all personnel have not only been advised of their food safety responsibilities and authorities, but that they also understand these in the context of what the FSMS is trying to achieve. Auditors should note that there is a requirement for top management to appoint a food safety team and team leader. 6 Planning Planning in management systems is often viewed as something that relates mainly to setting up the system. While this is very important, the standard makes it clear that FSMS planning is an ongoing activity which must continue throughout the life of the system, in the perpetual PDCA cycle. quality.org | 23 6.1 Actions to address risks and opportunities INTERPRETATION As part of risk-based thinking, organisations are required to consider their context (4.1), the relevant requirements of their relevant interested parties (4.2) and the scope defined for the FSMS (4.3) when determining risks and opportunities. This means thinking about the internal and external issues they face, the requirements of interested parties within the defined scope of the FSMS, and the impact this may have on systems and processes. Note that risk-based thinking not only applies to product and process operations as part of the HACCP process but to business and system functions in relation to food safety. The scope of planning should be wide enough to provide assurance that the FSMS is able to achieve its intended results, to prevent or reduce undesired effects, and to achieve continual improvement. For every external and internal issue and for every relevant need and expectation of an interested party, a risk source may be identified. The determination of risks and opportunities should be carried out at both strategic and operational levels: » those directly related to operational processes can be defined as “food safety risks” and “food safety opportunities” » those related to strategic levels can be defined as “risks to the FSMS” and “opportunities for the FSMS” In the case where determination of risk or opportunity requires action, the standard requires a planned and systematic approach with respect to these actions, with the actions being integrated into the FSMS or other business processes when practicable. Subsequently each action must be evaluated to determine whether it was effective. Implications for food safety professionals The requirement for organisations to determine those risks and opportunities that have the potential to affect the operation and performance of their FSMS, both positively and negatively, presents a new challenge for food safety professionals. This extends the work of the food safety professional to interacting with top management, since these risks and opportunities will be related to organisational issues. 24 | ISO 22000:2018 | Understanding the international standard “Auditors should ensure that the organisation is taking a planned and structured approach to addressing risks and opportunities” There is no specific requirement for a formal organisation-wide risk management or for a complicated risk management methodology (e.g. complex tables or grading scales of formulae) since the level of complexity of the methodology depends on the complexity of the business and the nature of the hazards, events, risks and opportunities determined. Actions taken to address risks and opportunities should be in proportion to the potential impact of the risk and opportunity on food safety or on the FSMS. However not all risks and opportunities need actions. For example, organisations may take an informed decision to accept the risk, taking no action beyond identifying and evaluating it, including ongoing evaluation. The actions planned may include establishing objectives (see 6.2 below) or incorporating the action into other FSMS processes. Subsequently, organisations need to evaluate the effectiveness of those actions. Implications for audit professionals Auditors should seek evidence that confirms that an organisation has an appropriate and consistently applied methodology in place to effectively identify risks and opportunities in the planning of their FSMS. Auditors must clearly understand the difference between “operational” and “strategic” risks and opportunities and decide who, within the audited organisation, should be interviewed. It is likely that “operational” risks would be audited with the food safety team, operational supervisors and non-managerial workers, while “strategic” risks would be audited with members of the top management and FSMS management. The role of the auditor is not to carry out their own determination of risks and opportunities, but to ensure that the organisation is applying its own methodology consistently and effectively. However, where the auditor’s knowledge of the context of the organisation reveals that the organisation has failed to identify a commonly known risk or opportunity, they may question the organisation’s approach. Auditors should ensure that the organisation is taking a planned and structured approach to addressing risks and opportunities. For those actions that have been completed, auditors should ensure that each action’s effectiveness has subsequently been assessed. They should also ensure that the action taken was proportionate to the risk or opportunity by determining the reason behind it. Auditors must ensure they have a good understanding of the concepts of risk and opportunity in the context of the FSMS and of the range of methodologies that organisations may use to manage these areas. quality.org | 25 6.2 Objectives of the food safety management system and planning to achieve them INTERPRETATION The definition of objective is “result to be achieved”. Note that an objective can be expressed in different ways, e.g. as an intended outcome, a purpose, an operational criterion, as a food safety objective, or in terms with similar meaning (e.g. aim, goal, or target). The term “FSMS objective” narrows down the broader meaning of “objective” to mean an objective set by the organisation to achieve specific results consistent with the food safety policy. An FSMS objective may be defined at various levels: strategic, cultural, project, product, service or process. This clause applies only to “FSMS objectives” and requires organisations to set them for relevant functions, levels and processes within its FSMS. It is up to the organisation itself to decide which functions, levels and processes are relevant. It would be expected that the organisation would prioritise objectives to deal with, for example, the hazards associated with the highest risk factors. The organisation has to define objectives in order to maintain and continually improve its FSMS and its food safety performance. This means that organisations may set objectives on some processes to ensure that a certain level of performance is maintained, and on other processes to achieve a performance improvement. When defining its objectives, the organisation must take into account the results of the assessment of risks and opportunities, the requirements of the standard and the applicable legal requirements. Any objectives set must be measurable or capable of performance evaluation, communicated and updated as appropriate. They must also be monitored in order to determine whether they are being met. Setting objectives is not a one-off activity. It should be an ongoing, recurring process that plays an important role in the continual improvement of the FSMS. The organisation has to maintain and retain documents providing information on the FSMS objectives and its plans to achieve them. 26 | ISO 22000:2018 | Understanding the international standard Implications for food safety professionals Food safety professionals need to be aware that, as mentioned above, the use of “objectives” is not limited to improvement processes. An objective may be set in order to maintain a certain level of performance. Organisations may need to define objectives at different levels. When doing so, they need to ensure the alignment of those objectives to their strategic direction. Note that the concept of a “target” used in other management system standards is contained within the term “FSMS objective”. There is no material difference between objectives and targets in ISO 22000. Objective planning includes what needs to be done, but also what resources will be required to do it, who will do it, when it will be completed and how it will be evaluated in order to determine if results have realised the objective. Food safety professionals will need to interact with most, if not all, functions of the organisation in order to facilitate the setting of objectives. Implications for audit professionals Auditors will need the competence to audit a set of interrelated objectives, ensuring that they are mutually consistent and aligned with the strategic direction of the organisation, particularly those relating to improvement of the FSMS. Auditors should look for evidence that effective planning is taking place to support the achievement of the organisation’s FSMS objectives, including the use of measurement or monitoring indicators, which need to be audited in detail. quality.org | 27 6.3 Planning of changes INTERPRETATION Change management in the FSMS is an important requirement that needs to be carried out and communicated in a planned and orderly manner. This includes changes to personnel, especially those who have an impact on the FSMS such as food safety team leaders and members. This requirement strengthens that previously in the 2005 version of the standard (clause 5.3) by adding factors such as the purpose of change, its consequences, resource needs and allocation of responsibilities to be considered. Such factors are likely to involve top management. The standard does not require organisations to keep change planning considerations in documented form. However, it would be wise, for control and demonstration purposes, to record this information e.g. in minutes of management meetings. Implications for food safety professionals Changes to the FSMS can have an impact on many interrelated processes so food safety professionals have to ensure that the integrity of the system is maintained throughout the change process and beyond. This will likely require greater consultation with top management and management of other functions before any changes are made. Food safety professionals can advise on competence needs where personnel changes are envisaged, and recommend any need for the setting of new objectives or changes to existing objectives. Changes to risk management strategies, both corporate and operational, will benefit from the input of food safety professionals. 28 | ISO 22000:2018 | Understanding the international standard “The standard does not require organisations to keep change planning considerations in documented form” Implications for audit professionals Changes to the FSMS have the potential to render it vulnerable to failing due to unintended consequences or omissions, resulting in a risk to food safety. Auditors need to ensure that the change process is robust and consistently applied. In the absence of documentation, auditors will need to gather evidence through interviews with top management, food safety team leaders and members and managers of relevant functions. Understanding of what the change means for the FSMS needs to be combined with an understanding of how it is implemented and whether it is working effectively. 7 Support Clause 7 is part of the “Do” step of the PDCA cycle, where necessary resources are considered in order to be able to do what was planned in clause 6. 7.1 Resources 7.1.1 General INTERPRETATION The organisation must initially determine and provide the resources necessary to establish, implement, maintain and continually improve its FSMS. Release of resources is a function of management at the top level of the organisation. The extent of the provision of resources can be a limitation on the effectiveness of the FSMS. Examples of resources include people, raw materials, infrastructure (including buildings, equipment and utilities), finance, IT and software, communications and emergency containment, all of which can be either internally or externally provided. Implications for food safety professionals Food safety professionals should ensure that the different types of resources needed for the FSMS are identified. Resources can be tangible or intangible, such as intellectual property. Implications for audit professionals Auditors should check that the organisation has identified all types of resources required by the FSMS, and that those resources will be available when needed. There are likely to be budgetary considerations relating to the management of resources. quality.org | 29 7.1.2 People INTERPRETATION In addition to ensuring the competence of its own people, the organisation must ensure that external experts brought in to provide any assistance with the FSMS are themselves competent. Evidence of this must be documented, including any agreements or contracts involved. Implications for food safety professionals Food safety professionals should ensure that the different competences needed for the effective operation of the FSMS are identified and fulfilled. They can be involved in drawing up job descriptions which include qualification requirements as well as interviewing key recruits to the defined roles. Food safety professionals have a vital role to play in selecting and managing external experts to advise or work on aspects of the FSMS. They are likely to work alongside such experts or manage their contributions, as well as informing top management on the progress of any projects. Implications for audit professionals Since the employment of competent personnel is a key foundation of the FSMS, audit professionals need to ensure that the processes for identifying competence needs and fulfilling these needs are consistently implemented. This includes the processes used to contract with external experts who may impact the FSMS. 30 | ISO 22000:2018 | Understanding the international standard 7.1.3 Infrastructure INTERPRETATION The requirement for suitable infrastructure for the effective implementation of the FSMS is again emphasised with an additional requirement for the determination of infrastructure needs as well as the necessary resources to allow its establishment and maintenance. New notes underline the wide coverage of such infrastructure to include property, utility services, equipment, software, transport and IT. Implications for food safety professionals Food safety professionals place high importance on adequate infrastructure being in place to assure food safety. They could now be expected to contribute to the identification of infrastructure needs and report to management on the level of resources needed. Food safety professionals may need to add to their skillset to be able to deal with issues such as the software products and IT technology used in the FSMS in addition to the physical aspects. Implications for audit professionals Many of the infrastructure needs for food safety are specified in regulations which auditors will need to take into account. Others relate to prerequisite programmes which the FSMS may need to incorporate as set out in the relevant technical specification, ISO/TS 22002 (all parts). In addition, auditors will use their sector knowledge to evaluate whether the appropriate infrastructure needs have been determined. The use of information technology in both the management and operations of the organisation may present an additional challenge to auditors’ skills. quality.org | 31 “The standard does not require organisations to keep change planning considerations in documented form” 7.1.4 Work environment INTERPRETATION The work environment – as distinct from infrastructure – is likely subject to requirements set by regulations to assure food safety. The accompanying notes identify these as being human and physical factors which may be social, psychological and physical, and which will differ depending on the products and processes involved. There is an additional requirement for the determination of work environment needs as well as the necessary resources to allow the establishment and maintenance of the environment. Implications for food safety professionals Food safety professionals should be very familiar with the work environment that needs to be in place to assure food safety. They could now be expected to contribute to the identification of work environment needs and report to management on the level of resources needed. Food safety professionals may need to add to their skillset to be able to deal with issues such as social and psychological factors in addition to the physical aspects. Implications for audit professionals Many of the work environment needs for food safety are specified in regulations which auditors will need to take into account. Others relate to prerequisite programmes which the FSMS may need to incorporate, as specified in ISO/TS 22002 (all parts). In addition, auditors will use their sector knowledge to evaluate whether the appropriate work environment needs have been determined. The inclusion of social and psychological factors in the work environment of the organisation may present an additional challenge to auditors’ skills. 32 | ISO 22000:2018 | Understanding the international standard 7.1.5 Externally developed elements of the food safety management system INTERPRETATION This new requirement recognises that some organisations may wish to bring in outside help to contribute to some elements of the FSMS, e.g. PRPs, hazard analysis and hazard control plans. In this case, the organisation needs to ensure that such elements conform to the standard and correctly apply to the products, processes and site operations of the organisation. The work done must have the oversight of the food safety team to ensure that it fits in with the organisation’s products and processes. Such work should become part of the FSMS in terms of implementation and maintenance, in accordance with the requirements of the standard. It should also be retained in documented form. Implications for food safety professionals Elements of the FSMS may need to be developed by external resources due to the need for specialist input, e.g. microbiological, chemical or consultancy services. In this case, food safety professionals can coordinate such input to ensure compatibility with the organisation’s products and processes. On completion of the work, food safety professionals may take over responsibility for the maintenance and updating of these elements. Implications for audit professionals Audit professionals need to evaluate the processes used to assign and manage the contributions of externally developed elements of the FSMS in the same way as they would review any other part of the system. They may review this work on a project-by-project basis and should evaluate the effect of the work on the FSMS overall, including the involvement of the food safety team. The general principle is that external contributions are to be handled in a way that allows the integrity of the FSMS to be maintained at the same level as with internally developed contributions. This should be the auditor’s focus. quality.org | 33 7.1.6 Control of externally provided processes, products or services INTERPRETATION This new requirement adopts a similar principle to that in 7.1.5, so that the outsourcing of processes, products and services is managed in such a way that the integrity of the FSMS is maintained. This means that suppliers and subcontractors should be subject to defined standards for their evaluation, selection, monitoring and re-evaluation. In other words, a consistent procurement process needs to be implemented from a food safety perspective. The purpose of this disciplined approach is to ensure sufficient control by the organisation of outsourced elements coming into the FSMS. The organisation has a duty to adequately communicate its needs and retain documentation of the whole process, including any actions taken as a result. Implications for food safety professionals Food safety professionals can use their expertise to contribute to management of the procurement of outsourced elements provided by external resources. In this case, food safety professionals can provide technical advice to ensure compatibility with the organisation’s FSMS processes. They should contribute to the evaluation and selection of suppliers and subcontractors from a food safety perspective and participate in decisions on any actions taken. Implications for audit professionals Audit professionals should evaluate the whole procurement process employed to obtain products, processes or services relating to food safety from external sources. This includes the necessary management input and contributions of the food safety team. The documentation to be retained should provide a valuable source of evidence for review. 34 | ISO 22000:2018 | Understanding the international standard 7.2 Competence INTERPRETATION This clause is designed to ensure that both staff and external providers are knowledgeable of the hazards and risks to food safety associated with their working environment, and possess the competence to ensure an effective FSMS. The organisation must determine the competence requirements for all personnel who affect, or could affect, food safety performance. Once these competence requirements have been determined, the organisation must then ensure that those personnel possess the necessary competence, on the basis of the appropriate combination of education, training or experience. The standard singles out the food safety team which, as a whole, must have the multi-disciplinary competences required. If those competences do not exist, the organisation is required to take action (e.g. remedial training, recruitment or the use of external people) in order to acquire the necessary competence. The effectiveness of the actions taken in raising competence to the required level needs to be evaluated. Organisations need to maintain and retain documented information as evidence of competence. Implications for food safety professionals Competence is defined as the “ability to apply knowledge and skills to achieve intended results”. Training is one of the ways organisations can achieve the necessary competence. Food safety professionals can contribute their knowledge to the training of others. Food safety professionals can assist the organisation in determining the competence necessary for each role. In many countries, the law requires that food safety training be provided to relevant staff involved in handling food products. quality.org | 35 “Food safety professionals can assist the organisation in planning systematic activities to ensure a good level of awareness of food safety among all personnel” Implications for audit professionals Auditors should verify whether organisations have determined the necessary competence with regard to food safety for each role, and assess how they can ensure that competence requirements have been met. Simply recording staff training may not be sufficient to demonstrate competence as defined in the standard. The effectiveness of the training must be demonstrated. Problems with competence often show up in other parts of the system e.g. internal audit, nonconformities and emergency situations. Another key issue that auditors need to verify is whether or not competence is kept up-to-date. If it is not, then knowledge, skills, and behaviours can become outdated due to changes in the organisation, technology or processes. 7.3 Awareness INTERPRETATION Awareness is knowledge-based and there are explicit requirements for people performing work under the organisation’s control to be aware of its food safety policy, any food safety objectives that are relevant to them, how they are contributing to the effectiveness of the FSMS and the implications of not conforming to food safety requirements. Implications for food safety professionals Food safety professionals can assist the organisation in planning systematic activities to ensure a good level of awareness of food safety among all personnel – managerial and non-managerial – and among interested parties such as visitors. Regular training activities conducted by food safety professionals can help to ensure that awareness of food safety issues is maintained at an acceptable level. Implications for audit professionals Auditors will have to conduct interviews with personnel at all levels to verify whether food safety awareness is at an acceptable level. Note that the standard does not require records of awareness training to be kept, although in some countries this is a legal requirement. 36 | ISO 22000:2018 | Understanding the international standard 7.4 Communication INTERPRETATION This requirement is similar to the 2005 version and encompasses all internal and external communication relating to an FSMS. Organisations need to develop and implement a process to determine those matters relating to the management system on which it wishes to communicate, the timing of such communications, their target audience and the method of delivery. The standard specifies the extent of external communication needed in relation to food safety.This includes external providers, customers, consumers, statutory authorities and any other organisations that are relevant to the FSMS. The process has to ensure that: » all external communications are handled by designated personnel » appropriate communication is an input to management review and updating of the FSMS » documented information is retained as evidence of communications, as appropriate Internal communication processes must cover changes to a range of issues across the FSMS including raw materials, products, processes, equipment, infrastructure, legal requirements, cleaning programmes, technology, competences and any other changes which can impact food safety. Implications for food safety professionals Food safety professionals have a key role to play in the quality of communication, by making sure that it is reliable, consistent, transparent, appropriate, complete, factual, accurate, able to be trusted, and understandable to interested parties.They can advise on what needs to be communicated both internally and externally as well as deal with updating needs and providing communication input to the management review. Implications for audit professionals Auditors should ensure that the organisation has identified external and internal communications that need to take place in respect of the operation of its FSMS and that appropriate documented evidence is retained of these communications. Although documentary evidence should be available, auditors should also conduct interviews with key personnel to determine the effectiveness of communications in the FSMS. Auditors should be aware that key factors in an effective communication process are: » the quality of the information » the methods used for communication quality.org | 37 7.5 Documented information INTERPRETATION Mandatory documents include the documented information required in ISO 22000 and additional information identified by organisations as necessary for the effective operation of their FSMS. Note that there is no requirement for “documented procedures” in the standard, but “documented information” includes documentation of processes as well as records in the FSMS. The extent of documented information can differ between organisations due to their size, complexity and the competence level of personnel. The document control requirements common to other management systems apply, i.e. when documented information is created or updated, the organisation must ensure that it is appropriately identified and described (for example by the title, date, author or reference number).The format of information (e.g. the language, software version and graphics) should be appropriate, and it should be delivered on an appropriate medium (e.g. paper or electronic). Documented information must be reviewed and approved for suitability and adequacy. Organisations are required to control documented information in order to ensure that it is available where needed and is suitable for use. It must also be adequately protected against improper use, loss of integrity and loss of confidentiality. Organisations must determine how they will: » distribute, access, retrieve and use documented information » store and preserve documented information » control any changes to the documented information » retain and dispose of documented information Organisations are also required to identify any documented information of external origin that they consider necessary for the planning and operation of their food safety management systems. Such documentation must be identified and controlled. Note that there is no requirement for documented information to be maintained or retained for the document control process itself, unless the organisation deems it necessary. 38 | ISO 22000:2018 | Understanding the international standard “Food safety professionals can assist top management in determining which documented information would be beneficial in the FSMS” Implications for food safety professionals Food safety professionals can assist top management in determining which documented information would be beneficial in the FSMS, in addition to the mandatory documentation specified throughout the standard, which is summarised in Appendix A. This may be used for different purposes, e.g. accountability, consistency, training or transparency. Where organisations choose to hold their documented information in electronic forms, there may be a need to establish access controls (i.e. user logins and passwords) and authorisation levels in order to ensure controls are appropriate. Organisations will need to consider how such systems are to be protected in the event that IT systems break down, and how access to the documented information can be preserved if IT systems are unavailable. They will also be required to demonstrate how the integrity of their documented information is maintained. This involves issues of cybersecurity, backup systems, technology settings etc. Implications for audit professionals Auditors will have to audit without relying on documented procedures when gathering evidence. They will need to use interview and observation skills more often to obtain evidence. Auditors will increasingly access and use electronic systems in order to evidence how organisations control their documented information. This could require additional competences in the technologies employed. 8 Operation This section focuses on management and control of the operational processes of the FSMS conducted by the organisation for the purpose of establishing and maintaining food safety. It specifies comprehensive methods for dealing with food safety hazards and the controls necessary for effective food safety within the context of an FSMS. quality.org | 39 8.1 Operational planning and control INTERPRETATION Organisations need to plan, implement and control their operational processes, including outsourced processes, by establishing operating criteria and implementing control of the processes in accordance with these operating criteria. Organisations need to maintain and retain documented information to the extent necessary to have confidence that the processes will be carried out as planned. In other words, the organisation decides which documented information on the operational processes will be under the control of the FSMS. Implications for food safety professionals Food safety professionals can help the organisation to clearly define the degree of control needed for internal and outsourced processes. They can help with establishing the associated operating criteria, advise on the effects of planned changes, review the consequences of unplanned changes and provide input into any subsequent decisions by management. Implications for audit professionals Since activities and processes conducted by the organisation, its suppliers and subcontractors are covered by the organisation’s FSMS, they are subject to internal audit and, possibly, external audit. Auditors may use risk-based criteria to decide which ones need to be audited more frequently, especially those internal processes, contractors or outsourced processes that deal with high-risk hazards. 40 | ISO 22000:2018 | Understanding the international standard 8.2 Prerequisite programmes (PRPs) INTERPRETATION The requirement to establish prerequisite programmes (PRPs) is similar to the previous 2005 version of the standard, with the added requirement for the guidance in all parts of the technical specification ISO/TS 22002 to be considered along with other codes. PRPs must also be updated when appropriate. They can apply to products, processes or the work environment. Appropriate PRPs may be implemented either across the production system or for specific products or processes, and approved by the food safety team. A range of issues needs to be considered when selecting PRPs, including receipt of raw materials, products, processes, equipment, infrastructure, legal requirements, cleaning programmes, support services and any other factors that can affect food safety. PRPs need to be monitored and verified as effective for the prevention or reduction of contaminants wherever they may occur. Documentation associated with the selection, establishment, monitoring and verification of the programmes must be retained. Implications for food safety professionals The input of food safety professionals is vital to the implementation of PRPs in the FSMS.They can bring their expertise to bear on the types of programmes needed, the work practices to follow and the methods for effective monitoring and verification. Given the wide range of PRPs likely to be needed, food safety professionals can use their knowledge and skills to assist in selecting programmes and in selecting external suppliers and providers of services such as laboratory testing, pest control, transportation and storage. They should also be aware of changes to legal requirements which may have an impact on PRPs. Implications for audit professionals Audit professionals must allow sufficient time in audit plans for evaluation of the PRPs implemented in the FSMS. Their knowledge will need to encompass the guidance in all parts of ISO/TS 22002 as well as the latest codes of practice. This evaluation needs to include the reasoning behind the selection of PRPs and their monitoring and verification. The food chain sector-specific knowledge of audit professionals will be of increased importance in determining the adequacy of PRPs. Good awareness of sources of contamination associated with products, processes and services, whether internal or external, will be essential. quality.org | 41 “The requirement to maintain and retain documentation of the traceability system should assist audit professionals with their evaluation of its integrity” 8.3 Traceability system INTERPRETATION Traceability of materials and products through the food chain is an established feature of food safety management systems. The requirements have been strengthened to include, as a minimum, the consideration of factors such as tracking materials, ingredients and intermediate products to the end products, reworking processes, end product distribution and compliance with legal requirements. For the traceability system to be effective, documentation needs to be retained and maintained for a predefined period of – at least – the shelf life of the associated product. A new requirement is the need to verify and test the effectiveness of the traceability system in the FSMS. In this context, reconciliation of quantities of inputs to output products is expected to be demonstrated. Implications for food safety professionals Food safety professionals should be familiar with the elements of a traceability system which can identify and track materials, ingredients and products through the organisation’s processes. They can provide practical advice for dealing with traceability of batches and lots of materials in whatever form they exist, e.g. powder, liquids, solids etc., including the required documentation. Food safety professionals should be able to set up and maintain the new verification and test regimes necessary to demonstrate the effectiveness of the traceability system. Implications for audit professionals The requirement to maintain and retain documentation of the traceability system should assist audit professionals with their evaluation of its integrity. They should verify the effectiveness of the system itself as well as reviewing the methodology employed to reconcile inputs with outputs to demonstrate that it is reliable. 42 | ISO 22000:2018 | Understanding the international standard 8.4 Emergency preparedness and response INTERPRETATION The standard requires the organisation to establish, implement and maintain processes to prepare for emergency situations and to respond if they occur, in order to protect food safety. The emergency situations to be covered may originate inside or outside the organisation and have the potential to affect the food safety management system, including breach of legal requirements. Organisations have to ensure that emergency plans are ready to be triggered and that they have the capability to respond effectively to emergency situations and incidents to mitigate the impact on food safety. In order to do so, the planned response actions need to be tested, reviewed and revised if necessary, in particular after the occurrence of actual emergency situations and after tests. Interested parties need to be made aware of these arrangements (and when necessary, trained) if they are required to participate in the emergency response, or if they may be affected by the emergency situation. Personnel, in particular, should be informed of their duties and responsibilities in emergency situations. Organisations need to maintain and retain documented information on their emergency response processes and plans. This may include response procedures, data to be communicated, test results, training records and improvement action plans. Implications for food safety professionals Food safety professionals can deploy their expertise not only in developing processes and plans, but also in communicating them to all parties potentially involved in emergencies, and testing them in drills. They can take a lead in emergency responses, keeping people informed, providing any necessary training, generating the required documented information and finally, keeping all involved parties updated and alert. The emergency preparedness and response processes may include the training of emergency teams, a list of key personnel and aid organisations, contact details of key interested parties, evacuation routes and assembly points, and the possibility of assistance from neighbouring organisations. quality.org | 43 Implications for audit professionals Unless emergency response tests are being conducted at the time of audit, auditors will have to rely on interviews and documentation to verify conformity with this requirement. Audit trails could easily follow the PDCA cycle as applied to emergency response processes. The focus of the audit professional should be the potential impacts on food safety and their mitigation. Note that every discrepancy found during the audit of the emergency plans or any incident which occurred during an emergency or drill has to be considered as a nonconformity in the system, and appropriate corrective actions have to be taken in order to prevent its recurrence. 8.5 Hazard control As with the previous 2005 version, the core of the standard is a comprehensive set of requirements for the identification, analysis and, if necessary, control and monitoring of food safety hazards which may not be dealt with by the PRPs. These are based around the principles of HACCP and additional control measures which first appeared in the 2005 version. Changes have been made that clarify and strengthen the application of controls throughout the hazard control process. 44 | ISO 22000:2018 | Understanding the international standard 8.5.1 Preliminary steps to enable hazard analysis INTERPRETATION The standard again emphasises that, in order to conduct a reliable hazard analysis, information needs to be gathered about the regulations, products and processes which relate to the food safety hazards faced by the organisation. This is the responsibility of the food safety team who need to maintain and retain relevant documentation. Comprehensive data needs to be accessed relating to the characteristics of raw materials, ingredients and packaging as well as those of the end products. Information about the source of the item, e.g. animal, vegetable or mineral, now has to be sought and the data has to be kept up-to-date. Data gathered must include the intended use of the product and must specifically identify consumer groups. It must including those groups who may be vulnerable to hazards such as allergens. The food safety team must create sufficiently detailed flow diagrams, including associated processes such as product packaging or process categories with which to conduct the hazard analysis. This documentation must be verified onsite for accuracy and kept up-to-date. As well as the organisation’s processes, the food safety team must document the work environment and facilities surrounding them. This requires more detail than previously, including layout, equipment, seasonal issues, PRPs and any other controls as well as external factors that might influence the measures to be decided. Implications for food safety professionals The work required to satisfy this requirement is likely to be considerable, but should be routine for food safety professionals. A great deal of documented information will be produced, which has to be maintained. This will challenge the administration skills of food safety professionals. The data gathered at this stage of the hazard control process plays a vital part in the determination of controls for food safety. The knowledge and expertise of food safety professionals at this stage should provide an essential contribution to the subsequent hazard analysis process. quality.org | 45 Implications for audit professionals Although the documentation available to audit professionals to work through may be considerable, they can use effective sampling techniques to determine the rigour with which the required information was obtained. Audit professionals need to ensure that this information is both comprehensive and accurate in order for it to provide a sure foundation for the hazard analysis. 8.5.2 Hazard analysis INTERPRETATION Using the prior research, the food safety team are responsible for the identification of all possible food safety hazards at all stages and the determination of their acceptability in the end product. From this deliberation, the need for control measures at any stage can be determined. The scope of this work is very similar to that in the previous 2005 version of the standard, with minor amendments for clarification. An assessment of the identified hazards has to be carried out. Note that this is the organisation’s responsibility, not necessarily that of the food safety team. There is a new requirement to allocate significance to a hazard based on the likelihood of its occurrence in the end product and the severity of any adverse health effects. This is a similar risk assessment technique to that found in other management system standards. Not only the outcome but the methodology used for this assessment has to be documented. From the hazard assessment, the need for control measures needs to be determined using a systematic basis. These can be managed at two levels, as OPRPs (operational prerequisite programmes) or CCPs (critical control points). The control measures themselves should be subject to a risk assessment of their failure based on the likelihood of failure and the severity of any consequences. The control measures also need to be assessed for the feasibility of establishing CCPs or, for OPRPs, action criteria. This is a new requirement which specifies criteria for the monitoring of OPRPs. The management of OPRPs has been brought more into line with the process for managing CCPs. The feasibility of monitoring CCPs or OPRPs and taking timely action on failure to meet the specified criteria also has to be assessed. The methodologies used in conducting these assessments along with the resulting outcomes have to be maintained in documented form. This should include any external requirements such as regulations or customer specifications which may influence the decisions on control measures. 46 | ISO 22000:2018 | Understanding the international standard “A decision on the level of control measures needed for identified hazards is a key feature of the whole process” Implications for food safety professionals The expertise of food safety professionals can be employed to ensure the accurate identification of hazards. They should know what they are, where they are found, their likely impact and the need for their control. Although the food safety team is not specifically tasked with the hazard assessment itself, food safety professionals can contribute their knowledge and skills to this important exercise, including the allocation of significance. A decision on the level of control measures needed for identified hazards is a key feature of the whole process. Whether internal or external, food safety professionals can bring their sector-specific knowledge to bear on the methodology to be employed in the determination of controls and the acceptance criteria to be used. Implications for audit professionals Audit professionals are charged with the responsibility to evaluate the identification and assessment methodologies employed for the food safety hazards and their control at all stages. They should be very familiar with the microbiological, chemical and physical characteristics of those hazards relevant to the part of the food chain and processes being audited. Audit professionals should resist conducting their own hazard identification and assessment process for comparison purposes, but rather assess whether the results of the methodologies employed were complete and reliable. They should evaluate whether the controls and associated criteria selected will successfully eliminate or reduce the hazard to a level acceptable to the organisation. 8.5.3 Validation of control measure(s) and combinations of control measures INTERPRETATION Once control measures are determined, a validation exercise is required to ensure their effectiveness. This requirement is similar to that in the 2005 version, with the addition that the validation methodology needs to be documented along with documented evidence of the capability of the control measure or combination of controls involved. Note that the food safety team is now responsible for validation. The methodology needs to include a process for the modification and reassessment of the control measure by the food safety team in the event of the failure of the control measure in the validation process. quality.org | 47 Implications for food safety professionals Whether internal or external, food safety professionals should be able to advise on the process necessary to validate the relevant control measure or combination of measures stated in the hazard control plan. Their expertise can contribute to the improvements necessary in the event that the control measure is found to be deficient as a result of the validation process. Implications for audit professionals Audit professionals should review the methodology used for validation exercises and assess the outcomes of the testing of the control measures. They should make use of their knowledge of the relevant sector of the food chain to evaluate whether the final control criteria specified are reasonable and consistent with industry practice. 8.5.4 Hazard control plan (HACCP/OPRP plan) INTERPRETATION Although this is a new requirement, it replaces the original requirement for a HACCP plan by requiring the plan to incorporate both CCPs and OPRPs. This standardises the practice already employed by many organisations under the 2005 version of the standard. It aligns the management of OPRPs and CCPs into one document with the same information for a control measure to be applied to each. The hazard control plan must be implemented. The hazard control plan will identify the existence of OPRPs and CCPs in the FSMS, allied to the respective hazard. The rationale behind the decision on which control measure to include should be documented. The critical limits associated with CCPs must be measurable but the action criteria for OPRPs may be either measurable or observable. Both control measures should be monitored but there is an implication that monitoring and measurement of critical limits for CCPs should be treated more rigorously as befits the more serious consequences of their failure. Note that monitoring of OPRPs by observation should be supported by documented instructions. Upon detected failure to meet critical limits, the plan should specify the actions to be taken when the system nonconformity process is triggered. This should involve both correction (addressing the nonconformity) and corrective action (addressing its cause) being taken, and should result in the safeguarding of potentially unsafe food. 48 | ISO 22000:2018 | Understanding the international standard Implications for food safety professionals Production of a HACCP plan should have been a reasonably straightforward task for food safety professionals, so compilation of a hazard control plan with the additional content should not represent too much of a challenge. The bigger challenge may be the decision on whether an OPRP or a CCP is the correct control measure to be documented in the plan along with the determination of critical limits or action criteria for each control measure. The hazard control plan should be kept updated and food safety professionals can provide the necessary input when changes are made to products and processes which trigger a reassessment of hazard controls. Monitoring operations for the control measures are very important, and food safety professionals can contribute their expertise to the decisions on monitoring frequency, calibration of measuring equipment, inspection instructions and evaluation of results. Implications for audit professionals The hazard control plan is one of the key documents that audit professionals should access when auditing the FSMS. It can provide an audit trail back to the processes which resulted in the plan, and a trail forward to the end product and related processes. These trails can embrace methodologies, competences and maintenance of documentation in addition to gathering evidence of food safety activities through observation. Failure of the monitoring process can lead to serious food safety issues due to the potential existence of undetected nonconformities, so audit professionals should ensure that this aspect is thoroughly reviewed. As well as verifying the methodologies employed, they should evaluate the nonconformity management process for its effectiveness in dealing with failure to meet criteria limits. quality.org | 49 8.6 Updating the information specifying the PRPs and the hazard control plan INTERPRETATION This clause essentially repeats the requirements for keeping key documents up-to-date, including the hazard control plan and the documented processes contributing to it. It reminds users that the system is dynamic and must reflect changes to products, processes and systems which can affect food safety. Implications for food safety professionals Part of the responsibility of food safety professionals is to have good awareness of forthcoming changes that can impact the FSMS. They should be proactive in preparing the system for these changes so that updating can take place with the minimum of disturbance. A robust document control process will be essential to meet this requirement. Implications for audit professionals Audit professionals should be well aware of the importance of keeping information up-to-date. As well as reviewing the change control systems, they should use their sector-specific knowledge of changes to legislation, technological developments etc. to determine whether organisations have reliable processes in place to gather information about changes in a timely manner. 8.7 Control of monitoring and measuring INTERPRETATION This requirement addresses the need for known accuracy limits when monitoring or measuring activities are undertaken. It is similar to that in the 2005 version, with additional emphasis on the validation of software products used in the FSMS. Documented calibration results are required, traceable to national or international standards where they exist. Changes and updates to software programmes should be validated before implementation with the associated documentation being retained. Note that unmodified off-the-shelf commercial software is considered to be already validated. 50 | ISO 22000:2018 | Understanding the international standard “Auditors should take steps to familiarise themselves with the functions and parameters associated with the software in preparing for the audit” Implications for food safety professionals Food safety professionals should be well aware of calibration processes for measuring and monitoring equipment. They can advise on calibration frequency, accuracy limits and standards traceability. With the reliance on software, particularly due to the increasing use of robotics and automation, food safety professionals may need to ensure that their knowledge of information technology and related validation techniques is at the correct level. Implications for audit professionals Experienced audit professionals should be very familiar with the processes surrounding the calibration of devices used for monitoring and measurement in a management system. They may not be so familiar with the routines used for testing software functions when validating its use. In this case, auditors should take steps to familiarise themselves with the functions and parameters associated with the software in preparing for the audit. 8.8 Verification related to PRPs and the hazard control plan INTERPRETATION This clause is similar to the clause on verification planning in the 2005 version, with an additional requirement that those conducting verification activities should be independent of those responsible for monitoring or measuring. Verification planning should be carried out, but there is no requirement for this process to be documented other than recording the results of verification activities. Verification outcomes should be analysed as part of the performance evaluation of the FSMS. Implications for food safety professionals Food safety professionals working in an FSMS environment should be managing or conducting verification activities on an ongoing basis as a routine part of the system checks. They can advise on the extent of verification activities and their frequency. Should the verification results indicate problems, they can assist with the decisions on corrective action. Implications for audit professionals Although verification results should be available in documented form, audit professionals will need to interview relevant personnel to determine the extent of verification planning in the FSMS. They need to confirm whether such planning is consistent and ongoing and whether verification personnel are competent and independent. They should also verify that verification results contribute to the performance analysis of the FSMS. quality.org | 51 8.9 Control of product and process nonconformities INTERPRETATION This clause primarily relates to the handling of nonconformities associated with OPRPs and CCPs, although it also applies to product and process nonconformity in general. A new requirement is for monitoring of OPRPs and CCPs to be carried out by designated, competent personnel who can initiate the correction and corrective action processes. The nonconformity management methodology should be documented, and should cover the identification, assessment and corrections necessary for proper handling in addition to a review of the corrections taken. The process must include identification of affected products and processes, the cause of failure and the resulting food safety consequences. Corrective actions which address the root cause of the nonconformity must be considered and, if appropriate, initiated to prevent recurrence. Actions should include a trend analysis of monitoring results and nonconformities raised by external parties such as customers, consumers and regulatory authorities. Documentation relating to corrective actions should be retained. It is important that potentially unsafe food products do not enter the food chain. Accordingly, such products need to be handled in a controlled way which must be documented. Products already released whose food safety is in doubt should be subject to a documented withdrawal process in conjunction with the external party. The standing of all nonconforming products must be evaluated. Nonconforming products resulting from CCP failure shall not be released, but designated for reprocessing, redirecting for other use or disposed of as waste. Nonconforming products resulting from OPRP failure may be released if their food safety integrity can be proven through monitoring, meeting performance standards or testing and inspection routines. Withdrawal or recall of nonconforming products should be conducted by competent personnel who will notify affected external parties, arrange the removal of such products from the food chain and manage the sequence of activities needed for the process. Incidents of withdrawal or recall should be documented and reported for input to the management review. The effectiveness of the withdrawal or recall process needs to be verified by means such as drills of mock incidents. 52 | ISO 22000:2018 | Understanding the international standard Implications for food safety professionals Food safety professionals should be well placed to handle the processes needed for dealing with nonconforming products and processes, including withdrawal and recall situations. They would be expected to meet the competence requirements for monitoring of OPRPs and CCPs in addition to determining the steps to be taken when such monitoring identifies nonconformity. Decisions relating to the disposition of nonconforming product can be informed by the expertise of food safety professionals as they conduct evaluation of the nonconformity. They can also contribute to decisions on whether or not to release product which has been designated as nonconforming through an OPRP failure. Since withdrawal or recall of previously released product is a major event, food safety professionals can underpin this decision by providing advice as to its scope, implementation and safe handling. Testing of the withdrawal or recall process could be overseen by food safety professionals who could identify any improvement opportunities. Implications for audit professionals Audit professionals should be well aware of the processes needed to handle nonconforming situations as they provide fertile ground for several audit trails. Such situations warrant the attention of audit professionals towards product and process controls, personnel competence, traceability systems, verification processes, decision-making, communication and documentation. Auditors should not only evaluate the effectiveness of nonconforming system processes in dealing with all the consequent issues of food safety, but also on how much the performance of the FSMS itself gains from the improvement opportunities presented. quality.org | 53 9 Performance evaluation of the food safety management system INTERPRETATION While the previous section largely focussed on the monitoring and performance of the hazard control process, this new section addresses the overall performance of the FSMS as a whole. 9.1 Monitoring, measurement, analysis and evaluation INTERPRETATION First, organisations must understand what they need to monitor and measure in order to determine the performance of the FSMS and evaluate its effectiveness (e.g. its progress on food safety objectives, characteristics of activities and operations related to the identified hazards, risks and opportunities, the compliance level of legal requirements, and other requirements). This includes the determination of the criteria against which food safety performance will be evaluated, including appropriate measures. As part of the process, organisations have to determine the methods used for accurate monitoring and measurement with calibrated equipment where appropriate. This ensures that analysis and performance evaluation is based on results that are valid. These methods may include, as appropriate, statistical techniques to be applied to the analysis of those results. In addition, organisations must also determine when monitoring and measurement should be carried out, including when the results of monitoring and measurement should be analysed and evaluated. Organisations have to retain appropriate documented information as evidence of the results of monitoring, measurement, analysis and evaluation, with the results providing input to the management review. 54 | ISO 22000:2018 | Understanding the international standard Implications for food safety professionals Food safety professionals can use their experience to ensure that the extent of planning, monitoring and measuring is consistent with the nature of the processes of the FSMS and is compatible with the associated analysis and evaluation. Food safety professionals can ensure that the results of monitoring and measurement are reliable, reproducible and traceable, in order to generate a consistent set of data that can be analysed, using statistical techniques when appropriate. Implications for audit professionals Auditors need to obtain evidence of analysis and evaluation of data obtained from monitoring and measurement relating to the overall performance of the FSMS. Auditors should have a basic knowledge of the sector-specific processes and of the statistical techniques used by the organisation in order to evaluate the effectiveness of the planned arrangements for the system. quality.org | 55 9.2 Internal audit INTERPRETATION This requirement is very similar to the internal audit requirements of most other management system standards, being based on ISO 19011, as referenced in the associated note. The standard contains the requirement for organisations to carry out internal audits at planned intervals in order to provide information as to whether the FSMS conforms to both the organisation’s own requirements and the requirements of the ISO 22000 standard. Internal audits must also provide information that could be used to determine whether the FSMS is being effectively implemented and maintained. This clause also sets out a series of requirements relating to how audit programmes must be structured, what audits must cover, who should undertake audits and how audits are to be reported. The audit programme needs to reflect the importance of the processes concerned, changes in the organisation, risks and opportunities, and the results of previous audits. Each audit needs to have a defined scope and its own audit criteria. Audits and auditors need to be competent, impartial and objective. This means that internal auditors should not audit processes in which they are or have been involved, either in planning or operationally at a managerial or nonmanagerial level. The findings from audits need to be fed back to both the relevant management and the food safety team. Any required corrections and/or corrective actions must be taken in the timescale agreed with the auditee. Documented information needs to be retained to provide evidence that the audit programme has been implemented. Documented information must also exist to provide evidence of the results of audits. Note that documented procedures for internal audits are no longer required. 56 | ISO 22000:2018 | Understanding the international standard “Food safety professionals should note the need to retain documented information evidencing the implementation of an audit programme and the results of audits” Implications for food safety professionals Food safety professionals would normally be expected to have the competence to conduct internal audits of the FSMS, provided they don’t audit processes and systems in which they have been directly involved. The purpose of internal audits is to provide information on whether the FSMS conforms to the requirements of the standard and any additional requirements determined by the organisation. Food safety professionals should be able to determine this from the conduct of the audit programme. The results of internal audits need to be fed back to “relevant management”, i.e. to those individuals best placed to act on the audit findings. Food safety team members also need to be informed of the relevant results. Food safety professionals should note the need to retain documented information evidencing the implementation of an audit programme and the results of audits. quality.org | 57 “Documented information must also be available to evidence the results of audits” Implications for audit professionals The internal audit process itself must also be audited. Audit professionals should access documented information confirming the implementation of an audit programme by the organisation. Documented information must also be available to evidence the results of audits. Audit professionals can learn a great deal about the effectiveness of the FSMS itself by conducting a thorough audit of its internal audit processes. FSMS audit professionals, or internal auditors, are not expected to conduct legal compliance audits but rather to evaluate whether the FSMS processes are effective in ensuring such compliance by the organisation. Auditors of legal compliance require a slightly different skillset to that of management systems auditors. It should be noted that legal compliance audits are not required by the standard. 58 | ISO 22000:2018 | Understanding the international standard 9.3 Management review INTERPRETATION This clause requires reviews of the suitability, adequacy and effectiveness of the FSMS to be undertaken by top management at planned intervals. In other words, top management have to determine, from time to time, the extent to which the FSMS is achieving its intended outcomes. The items that top management must, as a minimum, consider during a management review are actions from previous reviews, changes in the external and internal context, updates in the legal requirements, analysis of verification results, and the results of updates to systems. The reviews should also include information on food safety performance, including trends in: » the achievement of objectives » incidents, nonconformities and corrective actions » results from internal and external audits » results from internal and external inspections Trend analysis is an important function for top management to address because it can reveal whether the outcomes of the FSMS result in safe food for all parties on an ongoing basis. If it is failing in this regard, there are serious implications for the organisation both internally and externally. The management review process should not just look at historical trends but give top management the opportunity to influence the future performance of the FSMS by taking decisions to initiate improvements. They need to address identified weaknesses in the system by making changes, directing strategies for improvement and setting revised high-level food safety objectives. Such decisions need to be documented. Implications for food safety professionals Food safety professionals can contribute to the management review by preparing data on the performance of the FSMS during the relevant period since the previous review. They can supplement this work by making recommendations on future actions. quality.org | 59 “Auditors should expect to assess a strategically focused management review of the FSMS” The management review should be high-level, based on the review of key factors which affect the suitability, adequacy and effectiveness of the FSMS. The management review topics need not be addressed all at once. Although not a common methodology, the review may take place incrementally over a period of time and can be part of regularly scheduled management activities, such as board or operational meetings. It does not need to be a separate activity. Some organisations may ask the food safety professional to prepare all of the information needed for this review along with a draft of the conclusions. For such a contribution to have the maximum effectiveness, the information should originate from each relevant manager, the analysis should be closely reviewed and the associated decisions taken by top management. This is another example of the extensive involvement by top management that the standard expects. Implications for audit professionals Auditors should expect to assess a strategically focused management review of the FSMS. Context, risks and opportunities need to be considered, as well as the alignment of food safety to the organisation’s overall strategic objectives. Auditors should not audit this requirement only by conducting an interview with the food safety professional, who typically has all necessary records to show, but is not likely to be the owner of the management review process. Auditors should definitely audit this clause with top management. In order to do so effectively, they must gather evidence, face-to-face with one or more senior managers, on corporate strategy issues relating to the FSMS that go beyond operational issues. Auditors must be competent to be able to audit at a corporate level. 10 Improvement The principle of focusing on improvement is intrinsic to the FSMS in all areas. There is no such thing as a perfect system, but organisations must strive towards achieving the best possible performance of the FSMS at all times. This section specifies the requirements which can help organisations towards this goal. 60 | ISO 22000:2018 | Understanding the international standard 10.1 Nonconformity and corrective action INTERPRETATION This clause sets out how organisations are required to act when system nonconformity is identified. In such instances, the organisation is required to take whatever action is necessary to control and correct the nonconformity, and to deal with the consequence. A key requirement is to identify the root cause of the nonconformity and take appropriate action to prevent recurrence. While root cause analysis is being performed, organisations may also have to undertake immediate but temporary actions to prevent the continued occurrence of the same nonconformity. This would be the initial correction part of the overall corrective action. Organisations must also review the effectiveness of corrective actions and, if necessary, make further changes to the FSMS itself. Documented information has to be retained as evidence of the nature of the nonconformities that have occurred and of any corrective action taken, including their effectiveness. Implications for food safety professionals Food safety professionals can use their expertise to determine the root cause of incidents and nonconformities, including whether other similar nonconformities exist (or potentially could exist) elsewhere. They are also best placed to suggest at which level the most effective corrective action lies in the hierarchy of controls. Documented information must be retained not only on the results of the actions taken, but also the nature of the nonconformities, as well as any subsequent actions taken. Implications for audit professionals Auditors should gather evidence of the processes in the FSMS that deal with the initial handling of a nonconformity, including the triggering of emergency response if necessary, the evaluation of the root cause, the implementation of correction and corrective action and the subsequent review of its effectiveness. Audit trails could be based on the PDCA cycle associated with this aspect of the FSMS. Audit professionals should ensure that the required documented information is available covering the entire scope of the nonconformity from detection to review of the effectiveness of corrective action. quality.org | 61 10.2 Update of the food safety management system INTERPRETATION The food safety team is charged with the responsibility for updating the management system, especially with regard to the hazard analysis, hazard control plan and PRPs. Periodic reviews should be undertaken without necessarily waiting for changes which might trigger a review. Reviews should be documented, with the results contributing to the management review process. Implications for food safety professionals Food safety professionals working in an FSMS should keep their fingers on the pulse of the system. Periodic reviews of key elements are one way to achieve this. Note that such reviews are different to internal audits as the purpose of the review is not the determination of conformity but the identification of the need for updating to ensure that the system remains as effective as it should be. Implications for audit professionals Audit professionals should verify that the reviews by the food safety team are sufficiently comprehensive to pick up any weaknesses in the system. Documentation should help with this, but interviewing members of the food safety team can also verify the extent of their involvement in the process. 62 | ISO 22000:2018 | Understanding the international standard “The principle of continual improvement is embodied in most other management systems” 10.3 Continual improvement INTERPRETATION The principle of continual improvement is embodied in most other management systems. It is designed to inculcate an organisational culture and mentality of striving to achieve a better performance out of the FSMS overall by seeking opportunities to improve. Actions which top management might take with a view to achieving continual improvement include: » enhancing food safety performance through meeting objectives » promoting a proactive culture that provides support to the FSMS » promoting the participation of all personnel in the identification and implementation of opportunities for improvement » communicating to personnel the results of the improvement actions taken The FSMS should be geared towards continual improvement and the elements of the system can be used to facilitate this. Implications for food safety professionals The food safety professional can facilitate and lead this process of engendering a focus on improvement. Nevertheless, the participation of top management in conjunction with food safety professionals in the review and decision-taking are key factors for achieving a successful improvement process. quality.org | 63 “Auditors should check whether the organisation has implemented the identified opportunities for improvement” Implications for audit professionals Auditors should be able to track the organisation’s improvement processes throughout the whole FSMS. Auditors should seek evidence that organisations are using the outputs from their analysis and evaluation, internal audit and management review processes to identify improvement opportunities and food safety underperformance. They should also verify that the organisation is using suitable tools and methodologies to support its analysis and reviews. Additionally, auditors should check whether the organisation has implemented the identified opportunities for improvement in a planned and controlled manner and whether the whole workforce, from top management to non-managerial workers, participate in the process. Annexes The standard has two annexes containing four tables which provide cross references between the Codex HACCP principles and the relevant clauses of ISO 22000:2018, the structural differences between the 2005 and 2018 versions of the standard, and the detailed cross references between clause 7 (Support) and clause 8 (Operation). These cross references can assist with the transition to the 2018 version. 64 | ISO 22000:2018 | Understanding the international standard 05. Conclusions The revised standard adopts in full the text of Annex SL, with very minor modifications. Therefore, it aligns with ISO 9001 and ISO 14001, with the same structure, same terms and definitions, and same generic text. Organisations will now have a model that integrates food safety into the strategy and decision-making processes at all levels and contributes to their sustainability. Top management will be much more involved in food safety matters and will be challenged to demonstrate their leadership and commitment. Customers and consumers will benefit from enhanced care of their food safety needs due to wider participation of many parties in the development, planning and operation of the FSMS. Food safety professionals will find some change and more involvement in all technical and operational food safety-related issues and will have to be able to interact with top management and to assist top management to discharge their duties and responsibilities. Internal and external FSMS auditors will need adequate time to audit against the revised standards and should consider this in their audit planning. They may need to enhance their knowledge, understanding and skill to audit top management more rigorously. They will need to possess knowledge of corporate working, and to be more aware of business strategies. The publication of the revision to ISO 22000 in 2018 signals the start of a transition period during which those organisations which are already certified to ISO 22000:2005, and wish to transition to the revised standard, will need to make changes to their existing food safety management systems. Note that the transition period, originally set at three years in line with the transition processes for other ISO standards, has been extended by six months, ending 29 December 2021. CQI and IRCA recognise that the revised standard may need considerable support for its introduction. That is why we have committed to supporting our members and certificated auditors, not just through the development stages, but beyond the publication of the revised standard. Whatever your role is in the food safety profession and whatever sector your organisation may operate in, CQI and IRCA will be on hand to provide informed and impartial advice to help you make the transition successfully. quality.org | 65 A. Appendix Summary of required documented information 4.3 Determining the scope of the food safety management system 8.5.2.4.2 Selection and categorisation of control measures 5.2.2 Food safety policy 8.5.3 Validation of control measure(s) and combinations of control measures 6.2.2 FSMS objectives 7.1.2 People 7.1.5 Externally developed elements of the food safety management system 7.1.6 Control of externally provided processes, products or services 7.2 Competence 7.4.2 External communication 8.1 Operational planning and control 8.2 PRPs 8.3 Traceability 8.4 Emergency preparedness and response 8.5.4.1 Hazard control plan 8.5.4.2 Determination of critical limits and action criteria 8.5.4.3 Monitoring systems at CCPs and for OPRPs 8.5.4.5 Implementation of the hazard control plan 8.7 Control of monitoring and measuring 8.8 Verification related to PRPs and the hazard control plan 8.9.2 Corrections 8.9.3 Corrective actions 8.5.1.1 Preliminary steps to enable hazard analysis 8.9.4.1 Handling of potentially unsafe products 8.5.1.2 Characteristics of raw materials, ingredients and product contact materials 8.9.4.2 Evaluation for release 8.5.1.3 Characteristics of end products 8.9.5 Withdrawal/recall 8.5.1.4 Intended use 9.1 Monitoring, measurement, analysis and evaluation 8.5.1.5.2 On-site confirmation of flow diagrams 8.5.1.5.3 Description of processes and process environment 8.5.2.2 Hazard identification and determination of acceptable levels 8.5.2.3 Hazard assessment 66 | ISO 22000:2018 | Understanding the international standard 8.9.4.3 Disposition of nonconforming products 9.2 Internal audit 9.3 Management review 10.1 Nonconformity and corrective action 10.3 Update of the FSMS B. Appendix FSSC 22000 and GFSI The GFSI (Global Food Safety Initiative) benchmarking requirements1 were first created in 2001 by a group of retailers, to try to harmonise food safety standards across the global supply chain. The model relies on certification programme owners (CPOs) meeting the benchmarking requirements and achieving GFSI recognition. Each of the current CPOs offers schemes with obvious similarities (i.e. for food safety in the food chain) though there are some differences in focus. For example, GlobalG.A.P. is focused on agricultural production (extending to some aquaculture) while the Global Aquaculture Alliance is focused specifically on aquaculture. GFSI itself is an initiative of the global Consumer Goods Forum (CGF), which was founded in its current form in 2009, though its origins go back to the middle of the 20th century. The CGF has a membership that includes CEOs and senior management members from many global retail and manufacturing companies.2 The GFSI benchmarking requirements do not constitute a food safety standard in their own right, and food businesses cannot be audited or certified against them. Instead, food businesses need to request audits and certification from certification bodies that offer the various GFSI-recognised schemes (which are managed by the CPOs). Foundation FSSC 22000 is recognised as a CPO by GFSI and is one of around 11 such CPOs – including, as mentioned above, GlobalG.A.P. and the Global Aquaculture Alliance as well as BRCGS, the SQF Institute and others. These organisations offer certification programmes and schemes which certification bodies, in turn, use to audit and certify their clients. 1 https://mygfsi.com/ http://www. meetingmediagroup. com/article/profilethe-consumergoods-forum-cgf 2 https://www. fssc22000.com/ 3 Foundation FSSC 220003 is unique in that it developed its certification programme – the FSSC 22000 scheme – based on the ISO 22000 standard for food safety management systems. It is currently the only GFSI-recognised programme based on ISO 22000 and the associated technical specification for prerequisite programmes (ISO/TS 22002). Foundation FSSC 22000 also offers a scheme for combined FSMS and quality management systems (FSSC 22000 - Quality), which includes the requirements of ISO 9001. quality.org | 67 Acknowledgements CQI and IRCA would like to thank the author, reviewers and contributors for their work on this report. Principal author Ian Dunlop BSc FCQI CQP CQI and IRCA Technical Assessor Reviewers and contributors Erica Colson EMEA Food Sector Propositions Manager, BSI Marta Vaquero Accreditation Specialist - Food and Farm Certification, UKAS 68 | ISO 22000:2018 | Understanding the international standard Sara Walton Sector Lead, Food, BSI Alexander Woods Policy Manager, CQI © 2020 Chartered Quality Institute. All Rights Reserved The Chartered Quality Institute (CQI) The CQI is the chartered body for quality management professionals. It exists to benefit the public by advancing education in, knowledge of and the practice of quality in industry, commerce, the public sector and the voluntary sectors. The International Register of Certificated Auditors (IRCA) IRCA is a division of the CQI and is the leading professional body of management system auditors www.quality.org The Chartered Quality Institute 2nd Floor North, Chancery Exchange, 10 Furnival Street, London, EC4A 1AB Incorporated by Royal Charter and registered as charity number 259678